Skip to main content

FBI warns Kali365 phishing platform is targeting Microsoft 365 users; Floridians report $12 million in losses

FBI Computer scam generic (WJXT, Copyright 2026 by WJXT News4JAX - All rights reserved.)

FLORIDA – The FBI’s Internet Crime Complaint Center said that Florida residents are among those being targeted by a phishing-as-a-service platform called Kali365 that is aimed at users of Microsoft 365 products.

According to the IC3’s 2025 Internet Crime Report, Floridians reported more than $12 million in losses to phishing — a sharp rise from roughly $4 million the previous year. Phishing is a cyber scam in which criminals use email or malicious websites to steal information. They lure victims by pretending to be trusted sources, then trick them into revealing passwords, financial data or other sensitive information.

Recommended Videos


The FBI said Kali365 is targeting popular Microsoft 365 tools, including Outlook, Teams and OneDrive. The platform can capture access tokens and bypass multi-factor authentication without needing a user’s password, allowing attackers to access accounts even when extra authentication steps are in place.

Phishing schemes first appeared in the mid-1990s and have remained a staple of the cybercrime playbook. The FBI and private-sector security officials say the techniques have grown steadily more sophisticated.

“Kali365 is yet another reminder that threat actors continue to adapt in a constantly shifting landscape,” said FBI Tampa Cybercrime Supervisory Special Agent Tim Callinan. “Human behavior remains the most vulnerable point in any cybersecurity strategy. It is the responsibility of every organization to provide continuous workforce training, enforce strong password standards, and wherever possible, mandate the use of physical hardware tokens to ensure robust multi-factor authentication.”

The FBI and IC3 recommend steps to reduce risk:

  • Do not click links or open attachments in unsolicited emails.
  • Verify sender addresses and watch for misspellings or unusual domains.
  • Use strong, unique passwords and turn on multi-factor authentication.
  • When possible, use physical hardware tokens for multi-factor authentication.
  • If unsure, go directly to the service’s website instead of following links in email.

Anyone who believes they were targeted or victimized should file a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov. Crime reports are used for investigative and intelligence purposes, and rapid reporting can help support the recovery of lost funds.

Click here to learn more.